cpio Insecure File Creation Vulnerability

Vulnerability Details

Summary

cpio on FreeBSD 2.1.0, Debian GNU/Linux 3.0, and possibly other operating systems uses a umask of 0 when it creates the output file named by the -O (archive) or -F option. The file is therefore created with mode 0666 regardless of the invoking user's umask, so any local user can read the archive (disclosing the contents of everything that was packed into it) or overwrite it (corrupting or replacing what will later be extracted from it). Check: with `umask 022` in effect, run `cpio -o -O` against a file name that does not yet exist and inspect the result with `ls -l`; a vulnerable build reports `-rw-rw-rw-`, a fixed one `-rw-r--r--`. The creation mode only matters when cpio creates the file, so test with a fresh file name rather than an existing archive.
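The following is an added example, written for this page; it is not cpio's code and not part of the original entry. It reproduces the pattern behind the bug in Python: an archiver clears the process umask (archivers typically do this so that extracted files receive exactly the modes recorded in the archive) and then creates its own output file while that zeroed umask is still in effect, so the 0666 creation mode is applied unmodified. The hardened variant restores the caller's umask before creating the file. The function names `create_output_file`, `is_world_writable` and `compare_under_umask` are this editor's, and the example assumes a POSIX system where `os.umask` applies to the calling process.

```python
import os
import stat
import tempfile


def create_output_file(path: str, restore_umask: bool) -> int:
    """Create an archive output file and return its permission bits.

    The archiver clears the process umask first (so extracted files would get
    exactly the modes stored in the archive).  With restore_umask=False that
    zeroed umask is still in effect when the output file is created, so the
    0666 creation mode survives untouched: this is the behaviour the page
    describes.  With restore_umask=True the caller's umask is put back before
    the file is created, which is the hardened form.
    """
    saved = os.umask(0)              # archiver clears its umask for extraction
    try:
        if restore_umask:
            os.umask(saved)          # fix: honour the user's umask for our own files
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
        os.close(fd)
    finally:
        os.umask(saved)              # never leak a changed umask to the caller
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_writable(mode: int) -> bool:
    """True if 'other' has the write bit: any local user could overwrite the archive."""
    return bool(mode & stat.S_IWOTH)


def compare_under_umask(umask_value: int = 0o022):
    """Create one file each way under the given umask.

    Returns (vulnerable_mode, fixed_mode).  A fresh temporary directory is
    used so that O_CREAT really creates the files: the mode argument to
    open(2) is only applied when the file does not already exist.
    """
    previous = os.umask(umask_value)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            vuln = create_output_file(os.path.join(tmp, "vuln.cpio"), restore_umask=False)
            fixed = create_output_file(os.path.join(tmp, "fixed.cpio"), restore_umask=True)
    finally:
        os.umask(previous)
    return vuln, fixed


if __name__ == "__main__":
    vuln, fixed = compare_under_umask(0o022)
    print(f"umask 022: vulnerable archiver -> {vuln:04o}, fixed archiver -> {fixed:04o}")
    print("world-writable:", is_world_writable(vuln), is_world_writable(fixed))
```

With a umask of 022 the vulnerable path yields 0666 and the fixed path 0644; with 077 they yield 0666 and 0600. The point of the `finally` blocks is the same as the fix itself: a umask change is process-wide state, so it must be scoped to the operation that needs it. To audit a system that ran an unpatched cpio, look for archives that are writable by others, for example `find /srv/backups -name '*.cpio' -perm -002` (path assumed), and re-create them under a sane umask.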

Vendor Advisories

The vendor has released an upgrade dealing with this issue.
Ubuntu Linux has released an advisory (USN-75-1) dealing with this issue. Please see the referenced advisory for more information.
Debian Linux has released an advisory (DSA-664) dealing with this issue. Please see the referenced advisory for more information.
Mandrake has released an advisory (MDKSA-2005:032) to address this issue. Please see the attached Mandrake advisory for details on obtaining and applying fixes. Update (02/12/05): Mandrake has re-released advisory MDKSA-2005:032 as MDKSA-2005:032-1 to correct a problem with the fixes for Mandrake 10.1 (they would not install with rpmdrake). See the references section.
Trustix has released advisory TSLSA-2005-0003 to address various issues in multiple products. Please see the referenced advisory for more information.
Red Hat has released advisory RHSA-2005:080-06 to address this issue. Please see the advisory in Web references for more information.
Silicon Graphics has released advisory 20050204-01-U dealing with this and other issues for their Advanced Linux Environment packages. Please see the referenced advisories for more information.
Turbolinux has released advisory TLSA-2005-30 to address this issue. Please see the referenced advisory for more information.
Conectiva has released security advisory CLSA-2005:1002 addressing this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.
Avaya has released advisory ASA-2005-212 to indicate that Avaya CVLAN and Integrated Management products are vulnerable to this issue. Customers are advised to apply patches supplied by vendors of the underlying operating systems. Please see the referenced advisory for more information.
Red Hat has released security advisory RHSA-2005:806-8 addressing this issue for their Enterprise and Advanced Workstation editions. Users are advised to see the referenced Web advisory for further information.
Affected Entities

GNU cpio 1.0

GNU cpio 1.1

GNU cpio 1.2

Turbolinux Turbolinux Server 10.0

References

Source: XF
Name: cpio-o-archive-insecure-permissions(19167)
Link: http://xforce.iss.net/xforce/xfdb/19167

Source: TRUSTIX
Name: 2005-0003
Link: http://www.trustix.org/errata/2005/0003/

Source: REDHAT
Name: RHSA-2005:080
Link: http://www.redhat.com/support/errata/RHSA-2005-080.html

Source: REDHAT
Name: RHSA-2005:073
Link: http://www.redhat.com/support/errata/RHSA-2005-073.html

Source: www.freebsd.org
Link: http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/1391

Source: DEBIAN
Name: DSA-664
Link: http://www.debian.org/security/2005/dsa-664

Source: OVAL
Name: oval:org.mitre.oval:def:10888
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10888

Source: REDHAT
Name: RHSA-2005:806
Link: http://www.redhat.com/support/errata/RHSA-2005-806.html

Source: MANDRAKE
Name: MDKSA-2005:032
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2005:032

Source: support.avaya.com
Link: http://support.avaya.com/elmodocs2/security/ASA-2005-212.pdf

Source: SECUNIA
Name: 17532
Link: http://secunia.com/advisories/17532

Source: SECUNIA
Name: 17063
Link: http://secunia.com/advisories/17063

Source: SECUNIA
Name: 14357
Link: http://secunia.com/advisories/14357

Source: BUGTRAQ
Name: 20050204 [USN-75-1] cpio vulnerability
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110763404701519&w=2
